[Vulnerability notice] Multiple NTP DoS vulnerabilities

Last Updated: Apr 02, 2018

NTF’s Network Time Protocol (NTP) Project released ntp-4.2.8p9 on November 21, 2016. This version addresses 10 vulnerabilities, including 1 high severity, 2 medium severity, 2 medium/low severity, and 5 low severity. Some of them can cause remote DoS.

The trap service is disabled for NTPD by default. If the trap service is enabled, an attacker can send a specially crafted packet to cause NULL pointer dereference, resulting in NTPD DoS.

CVE-2016-9310 (Medium): The control mode functionality in NTPD has an exploitable configuration modification vulnerability, which allows an attacker to cause information leakage and DoS by sending a specially crafted control packet.

The zero origin time stamp bug (NTP Bug 2945) was fixed in ntp-4.2.8p6, but another problem was introduced in zero origin time stamp checks.

CVE-2016-7434 (Low): If NTPD is configured to receive MRUList query requests, an attacker can send a specially crafted MRUList query request packet. Upon receipt of the packet, NTPD crashes, resulting in DoS.

CVE-2016-7429 (Low): If NTPD is running on a host with multiple interfaces on different networks and the operating system does not check source addresses in received packets, an attacker can send a packet with a spoofed source address. As a result, NTPD cannot synchronize with the correct data source.

CVE-2016-7426 (Low): If rate limiting is enabled for NTPD, an attacker can periodically send packets with a spoofed source address to prevent NTPD from receiving valid NTPD response packets.

CVE-2016-7433 (Low): The fix for NTP Bug 2085 is incorrect (calculation is not performed properly). The problem caused by Bug 2085 is that the time base error is greater than the expected value.

By exploiting these vulnerabilities, hackers can cause NTP to exit. As a result, NTP cannot provide services.

Condition and method of exploitation

The high-severity vulnerability CVE-2016-9312 can be exploited remotely only in the Windows environment. Other vulnerabilities are not restricted by environments.

Affected scope

| CVE | Affected versions | Unaffected versions |
| --- | --- | --- |
| CVE-2016-9311 | ntp-4.0.90 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-9310 | ntp-4.0.90 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-7427 | ntp-4.2.8p6 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-7428 | ntp-4.2.8p6 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-9312 | ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-7431 | ntp-4.2.8p8, ntp-4.3.93 | ntp-4.2.8p9, ntp-4.3.94 |
| CVE-2016-7434 | ntp-4.2.7p22 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-7429 | ntp-4.2.7p385 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-7426 | ntp-4.2.5p203 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |
| CVE-2016-7433 | ntp-4.2.7p385 ≤ ntpd version < ntp-4.2.8p9 | ntp-4.2.8p9, ntp-4.3.0 ≤ ntpd version ≤ ntp-4.3.94 |

Vulnerability detection

Manually check whether NTP port 123 is open and exposed to the Internet.

Run the following command to check the NTP version: ntpq -c version

Note: The PoC test method is not recommended.
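To turn the version check into a per-CVE answer, the following Python sketch (an added example, not part of the original notice or of the NTP project's code) compares a version string against the ranges in the Affected scope table. The sample banner line is constructed, and the function and variable names are illustrative.

```python
import re

# Ranges copied from the "Affected scope" table of this notice.
# Value = lowest affected release (None = no lower bound); every range ends
# just below the fixed release ntp-4.2.8p9.
FIXED = "4.2.8p9"
LOWEST_AFFECTED = {
    "CVE-2016-9311": "4.0.90",
    "CVE-2016-9310": "4.0.90",
    "CVE-2016-7427": "4.2.8p6",
    "CVE-2016-7428": "4.2.8p6",
    "CVE-2016-9312": None,
    "CVE-2016-7434": "4.2.7p22",
    "CVE-2016-7429": "4.2.7p385",
    "CVE-2016-7426": "4.2.5p203",
    "CVE-2016-7433": "4.2.7p385",
}
# CVE-2016-7431 is listed for two specific releases only.
EXACT_AFFECTED = {"CVE-2016-7431": ("4.2.8p8", "4.3.93")}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_version(text):
    """Return (major, minor, point, patch) so 4.2.8p9 sorts above 4.2.8p6."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no NTP version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def affected_cves(version_text):
    """List the CVEs from this notice whose affected range contains the version."""
    v = parse_version(version_text)
    fixed = parse_version(FIXED)
    hits = [cve for cve, low in LOWEST_AFFECTED.items()
            if v < fixed and (low is None or parse_version(low) <= v)]
    hits += [cve for cve, exact in EXACT_AFFECTED.items()
             if v in [parse_version(e) for e in exact]]
    return sorted(hits)

# Constructed sample line in the shape printed by `ntpq -c version`.
SAMPLE = "ntpq 4.2.8p8@1.3265-o Thu Jun  2 00:00:00 UTC 2016 (1)"

if __name__ == "__main__":
    found = affected_cves(SAMPLE)
    print(f"{len(found)} CVE(s) from this notice apply:")
    for cve in found:
        print(" ", cve)
```

Distribution packages often backport fixes without changing the upstream version string, so treat a match as a prompt to check the vendor's changelog rather than as proof of exposure.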

How to fix or mitigate

The version update has been officially released. We recommend that you upgrade the service to the latest version.